DHCP Snooping


DHCP hands out addresses dynamically and makes attaching endpoints to a network far simpler, but the protocol itself has no security mechanism at all and is easy to attack. As soon as a rogue DHCP server appears in a broadcast domain, endpoints will very likely take the addresses that server pushes (along with the default gateway and DNS server it chooses), and a large share of the hosts in that domain lose their network access.

DHCP Snooping feature overview
  • filters DHCP packets received on untrusted interfaces
  • rate-limits DHCP traffic per port
  • maintains the DHCP snooping binding database
  • supplies the binding information that DAI (Dynamic ARP Inspection) depends on
    DHCP Snooping packet filtering

    Once DHCP Snooping is enabled on a VLAN, an untrusted interface drops the following packets it receives:

  • DHCP server messages (DHCPOFFER, DHCPACK, DHCPNAK) and any packet with a non-zero relay address (giaddr); this is the rule that defeats a rogue server, because only a trusted port may source server replies
  • packets whose source MAC address does not match the DHCP client hardware address (chaddr); this check is controlled by `ip dhcp snooping verify mac-address` and is on by default
  • DHCPRELEASE or DHCPDECLINE packets whose MAC address does not match the interface recorded for it in the DHCP snooping binding database (so one host cannot release another host's lease)
  • DHCP packets that already carry option 82 (unless the port is configured with `ip dhcp snooping information option allow-untrusted`)
    DHCP Snooping option 82 insertion

    A switch with DHCP Snooping enabled inserts option 82 (the relay agent information option) into the DHCP packets it receives from clients on untrusted ports

  • option 82 carries the switch MAC address as the remote-id and the ingress port identity in vlan-mod-port form as the circuit-id (layout in the figure below)
    [figure: option 82 circuit-id and remote-id suboption layout]
  • if 802.1X is enabled, option 82 carries the RADIUS authentication information
  • the relay address field (giaddr) is still present, but the snooping switch is not a relay and leaves it at 0.0.0.0; an IOS DHCP server drops option 82 packets whose giaddr is 0.0.0.0 unless it is told to trust them (see the DHCP server configuration below)
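The filter rules and the option 82 insertion above, modelled in Python as an added example (this is not Cisco code and not part of the original page). It builds raw BOOTP/DHCP payloads from the RFC 2131 layout, applies the untrusted-port checks to them, inserts a Cisco-style option 82 (circuit-id = vlan-mod-port, remote-id = switch MAC) the way the snooping switch does, and shows the giaddr check that an IOS DHCP server applies to the result. The client MACs, port names `e0/0`/`e0/1`, the `bindings` dictionary shape and the switch MAC are constructed for the demo; the switch MAC is the remote-id value seen in the lab output further down.

```python
"""Added example (not Cisco code): a model of the DHCP snooping decisions above.
It builds raw BOOTP/DHCP payloads (RFC 2131 header + options), applies the
untrusted-port filter rules, inserts a Cisco-style option 82 and shows the
giaddr check an IOS DHCP server applies to such packets. MACs/ports are made up."""
import struct
from ipaddress import IPv4Address

# op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file
HDR = "!BBBBIHH4s4s4s4s16s64s128s"
MAGIC = b"\x63\x82\x53\x63"
OPT_MSG_TYPE, OPT_RELAY_AGENT, OPT_END = 53, 82, 255
BOOTREQUEST, BOOTREPLY = 1, 2
DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE = 1, 2, 3, 4, 5, 6, 7
SERVER_MSGS = {OFFER, ACK, NAK}


def build_dhcp(op, chaddr, msg_type, giaddr="0.0.0.0", xid=0x3903F326):
    """Encode a minimal DHCP packet: fixed header, magic cookie, option 53, end."""
    hdr = struct.pack(HDR, op, 1, len(chaddr), 0, xid, 0, 0,
                      b"\0" * 4, b"\0" * 4, b"\0" * 4, IPv4Address(giaddr).packed,
                      chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return hdr + MAGIC + bytes([OPT_MSG_TYPE, 1, msg_type, OPT_END])


def parse_dhcp(pkt):
    """Decode the header fields the snooping rules look at and the options."""
    f = struct.unpack(HDR, pkt[:236])
    if pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != OPT_END:
        if pkt[i] == 0:                      # pad option, no length byte
            i += 1
            continue
        code, ln = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + ln]
        i += 2 + ln
    return {"op": f[0], "giaddr": str(IPv4Address(f[10])),
            "chaddr": f[11][:f[2]], "opts": opts}


def option82(vlan, module, port, switch_mac):
    """Cisco default layout: suboption 1 circuit-id = type 0, len 4, vlan/mod/port;
    suboption 2 remote-id = type 0, len 6, switch MAC."""
    circuit = bytes([0, 4]) + struct.pack("!HBB", vlan, module, port)
    remote = bytes([0, 6]) + switch_mac
    body = bytes([1, len(circuit)]) + circuit + bytes([2, len(remote)]) + remote
    return bytes([OPT_RELAY_AGENT, len(body)]) + body


def insert_option82(pkt, vlan, module, port, switch_mac):
    """What the snooping switch does to a client packet from an untrusted port:
    append option 82 before the end option. giaddr is left at 0.0.0.0."""
    return pkt[:-1] + option82(vlan, module, port, switch_mac) + bytes([OPT_END])


def snoop_verdict(pkt, src_mac, port, trusted_ports, bindings,
                  allow_untrusted_82=False, verify_mac=True):
    """Return (forward, reason) for a DHCP packet received on `port`.
    bindings maps client MAC -> (ip, port), like the snooping binding database."""
    p = parse_dhcp(pkt)
    mtype = p["opts"].get(OPT_MSG_TYPE, b"\0")[0]
    if port in trusted_ports:
        return True, "trusted port: no checks"
    if p["op"] == BOOTREPLY or mtype in SERVER_MSGS:
        return False, "server message on untrusted port (rogue server)"
    if verify_mac and src_mac != p["chaddr"]:
        return False, "source MAC does not match chaddr"
    if p["giaddr"] != "0.0.0.0":
        return False, "non-zero giaddr on untrusted port"
    if OPT_RELAY_AGENT in p["opts"] and not allow_untrusted_82:
        return False, "option 82 on untrusted port"
    if mtype in (RELEASE, DECLINE):
        entry = bindings.get(src_mac)
        if entry is None or entry[1] != port:
            return False, "RELEASE/DECLINE does not match binding entry"
    return True, "forward"


def ios_server_accepts(pkt, relay_information_trust_all=False):
    """IOS DHCP server rule: option 82 with giaddr 0.0.0.0 is dropped unless
    'ip dhcp relay information trust-all' is configured."""
    p = parse_dhcp(pkt)
    untrusted_relay = OPT_RELAY_AGENT in p["opts"] and p["giaddr"] == "0.0.0.0"
    return relay_information_trust_all or not untrusted_relay


if __name__ == "__main__":
    client, attacker = bytes.fromhex("0000aa000001"), bytes.fromhex("0000bb000002")
    sw1_mac = bytes.fromhex("aabbcc005000")   # the remote-id shown in the lab output
    discover = build_dhcp(BOOTREQUEST, client, DISCOVER)
    print(snoop_verdict(discover, client, "e0/0", set(), {}))          # forwarded
    print(snoop_verdict(build_dhcp(BOOTREPLY, client, OFFER), attacker, "e0/1", set(), {}))
    tagged = insert_option82(discover, 10, 0, 1, sw1_mac)              # SW1 sends it upstream
    print(snoop_verdict(tagged, client, "e0/0", set(), {}))            # SW2 untrusted port drops
    print(ios_server_accepts(tagged), ios_server_accepts(tagged, True))
```

The `tagged` packet is exactly the situation the two-switch lab below runs into: SW1 adds option 82 with giaddr still 0.0.0.0, SW2's untrusted port drops it unless `allow-untrusted` is set, and the IOS server then drops it again unless `ip dhcp relay information trust-all` is configured.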
    DHCP Snooping database

    The binding database records, for each untrusted port, the client MAC address, the leased IP address, the lease time, the VLAN and the interface learned from the DHCP exchange; DAI and IP Source Guard (see the end of this page) make their decisions against these entries. The database can be written to local storage or a remote server with `ip dhcp snooping database` (as in the configuration below) so the bindings survive a reload.

DHCP Snooping default settings

Option                                           Default value/state
DHCP snooping                                    Disabled
DHCP snooping host tracking feature              Disabled
DHCP snooping information option (option 82)     Enabled
DHCP option-82 on untrusted port feature         Disabled
DHCP snooping limit rate                         None
DHCP snooping trust                              Untrusted
DHCP snooping vlan                               Disabled
DHCP snooping spurious server detection          Disabled
DHCP snooping detect spurious interval           30 minutes
DHCP Snooping configuration

Lab (topology figure omitted): a Client behind SW1, SW1 uplinked to SW2, and an IOS router named DHCP acting as the DHCP server behind SW2.

Client#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Client(config)#interface e0/0
Client(config-if)#ip address dhcp    #obtain the interface address via DHCP
SW1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
SW1(config)#vlan 10
SW1(config-vlan)#exit
SW1(config)#interface e0/0
SW1(config-if)#switchport mode access
SW1(config-if)#switchport access vlan 10
SW1(config-if)#interface e0/1
SW1(config-if)#switchport mode access
SW1(config-if)#switchport access vlan 10
SW1(config-if)#exit
SW1(config)#ip dhcp snooping  #enable DHCP snooping globally
SW1(config)#do show ip dhcp snooping | include Switch    #confirm that DHCP snooping is on
Switch DHCP snooping is enabled
SW1(config)#ip dhcp snooping information option    #option 82 insertion (on by default)
SW1(config)#do show ip dhcp snooping | include 82  #confirm that option 82 insertion is on
Insertion of option 82 is enabled
Option 82 on untrusted port is not allowed
SW1(config)#ip dhcp snooping verify mac-address  #drop packets whose source MAC differs from the chaddr field (on by default)
SW1(config)#do show ip dhcp snooping | include hwaddr  #confirm that the check is on
Verification of hwaddr field is enabled
SW1(config)#ip dhcp snooping database disk0:/dhcp.db #where the snooping binding database is persisted
SW1(config)#ip dhcp snooping vlan 10    #enable DHCP snooping on the VLAN
SW1(config)#do show ip dhcp snooping
Switch DHCP snooping is enabled
Switch DHCP gleaning is disabled
DHCP snooping is configured on following VLANs:
DHCP snooping is operational on following VLANs:
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is enabled
   circuit-id default format: vlan-mod-port
   remote-id: aabb.cc00.5000 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------   

SW1(config-if)#ip dhcp snooping trust   #on the uplink toward SW2 (the interface name is not shown in the transcript): only trusted ports may pass server replies
SW1(config-if)#ip dhcp snooping limit rate 60   #DHCP rate limit in pps, tune to need; it belongs on untrusted access ports rather than the uplink, because a port that exceeds the limit is err-disabled (recoverable with errdisable recovery cause dhcp-rate-limit)
SW2 is configured the same way as SW1 (VLAN 10 on access ports e0/0 and e0/1; DHCP snooping enabled globally and on VLAN 10; option 82 insertion; MAC address verification; a database file; the uplink toward the DHCP server marked trusted with a 60 pps rate limit), and its show output is identical. The one difference is the port facing the downstream switch:
SW2(config)#interface e0/0
SW2(config-if)#ip dhcp snooping information option allow-untrusted  #the port toward the downstream switch SW1 must accept client packets that already carry SW1's option 82; an untrusted port drops them by default. Use this only where the downstream device is a managed switch, since the port will now also accept option 82 forged by whatever is plugged into it
DHCP#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
DHCP(config)#interface e0/0
DHCP(config-if)#ip address
DHCP(config-if)#no shutdown
DHCP(config-if)#exit
DHCP(config)#ip dhcp pool test  #DHCP server pool (the pool contents are not shown in the transcript)
DHCP(dhcp-config)#exit
DHCP(config)#ip dhcp relay information trust-all #an IOS DHCP server checks the relay address (giaddr) of every packet that carries option 82 and drops the packet when giaddr is 0.0.0.0, which is exactly what a snooping switch produces; trust-all makes the server accept such packets. The other fix is to turn option 82 insertion off on the switch (no ip dhcp snooping information option); a Cisco forum expert says that switching it off affects performance, see: https://supportforums.cisco.com/t5/lan-switching-and-routing/dhcp-snooping/td-p/1622877
DHCP Snooping wrap-up

Besides the functions above, DHCP snooping has the following characteristics


The clean way to end IP address conflicts: DHCP SNOOPING. Hand out addresses to users through DHCP and then allow them to use only the dynamically assigned address; a user who switches to a static IP can no longer get onto the network. That is what the DHCP SNOOPING feature gives you (strictly, snooping builds the binding table and IP Source Guard, quoted at the end of this section, does the enforcement). Example:

version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
service compress-config
!
hostname C4-2_4506
!
enable password xxxxxxx
!
clock timezone GMT 8
ip subnet-zero
no ip domain-lookup
!
ip dhcp snooping vlan 180-181    // the VLANs to protect
ip dhcp snooping
ip arp inspection vlan 180-181
ip arp inspection validate src-mac dst-mac ip
errdisable recovery cause udld
errdisable recovery cause bpduguard
errdisable recovery cause security-violation
errdisable recovery cause channel-misconfig
errdisable recovery cause pagp-flap
errdisable recovery cause dtp-flap
errdisable recovery cause link-flap
errdisable recovery cause l2ptguard
errdisable recovery cause psecure-violation
errdisable recovery cause gbic-invalid
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause unicast-flood
errdisable recovery cause vmps
errdisable recovery cause arp-inspection
errdisable recovery interval 30
spanning-tree extend system-id
!
!
interface GigabitEthernet2/1    // restricts the users attached to this port; a downstream switch may also hang off it
 ip arp inspection limit rate 100
 arp timeout 2
 ip dhcp snooping limit rate 100
!
interface GigabitEthernet2/2
 ip arp inspection limit rate 100
 arp timeout 2
 ip dhcp snooping limit rate 100
!
interface GigabitEthernet2/3
 ip arp inspection limit rate 100
 arp timeout 2
 ip dhcp snooping limit rate 100
!
interface GigabitEthernet2/4
 ip arp inspection limit rate 100
 arp timeout 2
 ip dhcp snooping limit rate 100
(remaining ports omitted)

Editor's note: this is a good solution wherever nobody needs a fixed address. See also IP Source Guard on www.cisco.com:

Similar to DHCP snooping, this feature is enabled on a DHCP snooping untrusted Layer 2 port. Initially, all IP traffic on the port is blocked except for DHCP packets that are captured by the DHCP snooping process.
When a client receives a valid IP address from the DHCP server, or when a static IP source binding is configured by the user, a per-port and VLAN Access Control List (PACL) is installed on the port. This process restricts the client IP traffic to those source IP addresses configured in the binding; any IP traffic with a source IP address other than that in the IP source binding will be filtered out. This filtering limits a host's ability to attack the network by claiming a neighbor host's IP address.
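As an added example (not the page's lab configuration and not the 4506 config quoted above), the following IOS configuration ties the three features this section brings together on one access switch: DHCP snooping fills the binding table, DAI and IP Source Guard enforce it on the access ports, and the uplink is explicitly trusted for both. The client VLAN, the interface names and the rate values are assumptions for the example. The point to get right is the trust setting on the uplink: with it left untrusted, the real server's OFFER and ACK are dropped as if it were a rogue server and nobody gets a lease; with a rate limit on it, the uplink err-disables under ordinary load.

```cisco
! Added example, not the page's lab configuration. Assumptions: client VLAN 10,
! client ports Gi1/0/1-23, uplink Gi1/0/24 toward the DHCP server; names are made up.
ip dhcp snooping
ip dhcp snooping vlan 10
ip dhcp snooping verify mac-address
! persist the binding table so DAI and IP Source Guard keep working after a reload
ip dhcp snooping database flash:/dhcp-snooping.db
! DAI validates ARP against the same binding table
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
! ports err-disabled by a rate limit or a DAI violation come back on their own
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause arp-inspection
errdisable recovery interval 300
!
interface GigabitEthernet1/0/24
 description uplink toward distribution and the DHCP server
 switchport mode trunk
 ! only this port may source OFFER/ACK/NAK; no 'ip dhcp snooping limit rate' here,
 ! a limit on the uplink err-disables it under normal load
 ip dhcp snooping trust
 ip arp inspection trust
!
interface range GigabitEthernet1/0/1 - 23
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 ! untrusted by default; 15 pps is ample for a single host
 ip dhcp snooping limit rate 15
 ip arp inspection limit rate 15
 ! IP Source Guard: installs the per-port ACL from the binding table, so a host that
 ! sets its own static address is dropped ('ip verify source vlan dhcp-snooping' is
 ! the spelling on the Catalyst 4500/6500 family of the 4506 example above)
 ip verify source
!
```

Verify with `show ip dhcp snooping binding` (the learned MAC/IP/VLAN/interface entries) and `show ip verify source` (the filter each access port is enforcing); a host that moves to a static address absent from the binding table shows up as blocked there, which is the behaviour the paragraph above describes.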






